Anti-Social Engineering
Lessons from reading Mitnick
BY SIMSON GARFINKEL
Kevin Mitnick is the most famous computer hacker of our time. His capture in February 1995 by computer scientist
Tsutomu Shimomura was the subject of three hugely popular books. Since
his release from prison on Jan. 21, 2000, Mitnick has taken on the role
of "reformed hacker extraordinaire"—a man who seeks to undo the damage
he has done by teaching corporate America how to defend against social
engineering attacks (while making a pretty penny in the process).
This month Mitnick releases his first book, The Art of Deception.
It is filled with stories of how an enterprising social engineer can
outsmart office workers, circumvent security technology, and generally
make a mockery of our attempts to protect computers and networks.
Mitnick's message is simple: Humans are the weakest link in any
security system. Companies need to spend more time training their
employees on how to resist such attacks.
That's all true—and not surprising to hear from an
allegedly reformed con man turned security consultant. (By almost all
accounts, it was Mitnick's ability to trick people, rather than his
skill at computing, which made it possible for him to penetrate so many
organizations.) However, Mitnick's systematic downplay of technology
and its value in defending sensitive information is yet another act of
deception—one that could be far more damaging than any of his other
exploits to date.
Awareness Isn't Everything
To be sure, many organizations need to improve the security of their
"human factor." Social engineers use internal phone numbers, knowledge
of procedures and even industry lingo to gain the trust of their
intended victims.
One Mitnick anecdote: The intrepid social engineer
calls up the network operations center of a cell phone company during a
snowstorm. After befriending the operators, he asks them: "I left my
SecurID card on my desk. Will you fetch it for me?" Of
course, the network operators are too busy to do that, so they do the
next best thing: They read off the ever-changing code on their own
token, allowing the hacker to break in and steal the company's source
code. In this example, the caller is able to "prove" his identity by
telling the network operators his office number, the department where
he worked and the name of his supervisor—all information that the
attacker had gleaned from previous phone calls to the company.
Mitnick's message is that organizations need to treat phone lists, org
charts, technical procedure manuals and other information as highly
confidential in order to protect themselves from social engineering
attacks.
Alas, trying to keep such information confidential
is ultimately a losing proposition: Companies simply can't assume that
this information won't get out to competitors, recruiters and potential
attackers. If nothing else, employees are sure to take this information
with them when they switch jobs. Years of effort have also shown the
difficulty in training people to resist social engineering
attacks—these attacks are so rare that the troops just don't get enough
practice.
Instead, companies need to adopt both procedures and technology to
minimize the impact that such confidential information loss can
have—and to create systems and organizations that are resistant to
social engineering attacks.
For example, many of the cons in Mitnick's book
revolve around the theft of a credit card or Social Security number. In
one case, the social engineer who pretends to be the manager at one
video store builds up a friendship over the telephone with the clerk at
a sister store across town. Then one day the engineer calls up the
clerk, claims that his computer is down, and says, "I've got a customer
of yours here who wants to rent Godfather II and doesn't have
his card with him.... Could you verify his information for me?" Trying
to help, the befriended clerk reveals the target customer's name,
address, credit card number and his recent rentals.
It's important to teach clerks not to reveal such
information over the phone. But there's also a technical solution:
Terminals and application programs used by customer service
representatives should never display a customer's credit card number.
This is not a new idea; many firms, including VoiceStream and
Amazon.com, have already deployed such technology. These companies have
computer systems that keep customer credit card numbers on file for
automatically billing future purchases, but the systems will not reveal
a stored credit card number to either the customer or a customer
service representative.
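As an added example (not code from the column or from the companies it names), the keep-but-never-display rule in Python: the card stays on file for billing, while every view a representative, the customer or a log could see carries only a masked form. Class and function names are assumptions.

```python
# Added illustration of the "store it, bill with it, never display it"
# pattern described above. Hypothetical class names; this is not code
# from the column, VoiceStream or Amazon.com.


class CardOnFile:
    """Keeps a card number for future billing without ever rendering it."""

    def __init__(self, pan: str) -> None:
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 13 <= len(digits) <= 19:
            raise ValueError("card number must be 13 to 19 digits")
        self.__pan = digits  # name-mangled; no public accessor is offered

    @property
    def masked(self) -> str:
        """Only the last four digits are ever shown to a person."""
        return "*" * (len(self.__pan) - 4) + self.__pan[-4:]

    def charge(self, amount_cents: int) -> str:
        # Billing uses the full number internally and hands back only a
        # receipt line; the number itself never leaves this object.
        return f"charged {amount_cents} cents to card ending {self.__pan[-4:]}"

    def __repr__(self) -> str:
        # Logging or debugging a record must not leak the number either.
        return f"CardOnFile({self.masked})"


class CustomerRecord:
    """What a customer-service terminal may show for one customer."""

    def __init__(self, name: str, address: str, card: CardOnFile) -> None:
        self.name, self.address, self.card = name, address, card

    def csr_view(self) -> dict:
        # The representative sees the masked form only, so there is no
        # full number on screen to read out to a caller.
        return {"name": self.name, "address": self.address, "card": self.card.masked}


def pan_leaks(record: CustomerRecord, pan: str) -> bool:
    """Does any rendered view (screen, repr, receipt) contain the raw number?"""
    rendered = repr(record.csr_view()) + repr(record.card) + record.card.charge(1)
    digits = "".join(ch for ch in pan if ch.isdigit())
    return digits in rendered
```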
Simple Steps
Many of the most ingenious computer hacks in The Art of Deception
are surprisingly simple: Time after time, the narrator simply convinces
an innocent office worker to run a remote control program such as
Netbus or Back Orifice on their office PC. Once the program is
installed, the hacker can reach behind the company's firewall and probe
for confidential Microsoft Word files, examine e-mail or an appointment
calendar, or whatever. This attack is particularly effective when it's
carried out against some high-level executive's secretary.
A likely attack? Definitely. But experience has
shown that judiciously used technology can prevent clerical staff from
running the vast majority of malicious software. Most hackers are
incapable of writing their own so-called Trojans; instead, they use
malicious software that's already in circulation—and that's already
recognized by today's antivirus systems. Good antivirus systems won't
let a Trojan be downloaded over the Web or by e-mail, they won't let it
be copied onto a user's hard drive from a floppy, and if the software
is downloaded, the antivirus won't let it run.
A more radical technical solution, of course, is
simply to avoid running Microsoft products. Although Mitnick never says
so, social engineers, virus writers and computer attackers of all
stripes have benefited immeasurably by the computational monoculture
that much of corporate America has created on the desktop. Companies
with Macs or Linux on the desktop simply don't have problems with
viruses and other hostile code that haunt most Microsoft shops.
Most companies don't know when they've been hacked. It's all too easy
for a social engineer to erase a log file or have an employee
unwittingly e-mail a file to a "drop dead" mailbox somewhere outside
the country. Again, this is a job for technology: For a few hundred
dollars most companies can deploy log servers—special computers that
receive and record log events from elsewhere on your network but don't
allow any remote access. Firewalls can be configured to log all files
that are transferred in or out of an organization. Perhaps you can't
prevent an employee from e-mailing a critical file to a spy, but you
don't have to keep yourself in the dark about it.
Don't get me wrong: Lectures, training sessions and
awareness briefings all have their place. But they only go so far.
Probably the best way to teach employees techniques for resisting
social engineering is to repeatedly hit them with actual social
engineering attacks. That is, CSOs should "penetration test" employees,
the same way we penetration test servers, firewalls and
telecommunications systems.
All companies should have a policy of reporting
attempted social engineering incidents to the corporate security group.
Companies should then randomly call employees, attempt to hack them and
see what gets reported. New employees are exceedingly vulnerable to
attacks; for this reason, new employees should receive several social
engineering attacks during their probationary period, and then on a
regular basis throughout their career.
Fact or Fiction?
It's easy to imagine that many CSOs will be turned off by the thought
of purchasing a book from a convicted computer criminal. Certainly it's
not good for society when criminal hackers are rewarded for their
misdeeds.
As it turns out, the courts agree. Mitnick, under
the terms of his court-supervised release, is prohibited from selling
his story until 2010. That's why the anecdotes in The Art of Deception
are all told through the veil of fiction. Each con artist and victim is
given a made-up name, history, motivation and so on. While this
artifice results in a book that is unfocused and frequently repetitive,
there are occasional gems contained within the book's covers—such as
when Mitnick explains how Caller ID can be forged, and why it is so
important to protect backup tapes.
In a way, it's too bad that The Art of Deception
doesn't tell Mitnick's story. In my opinion, much of what has been said
about Mitnick over the years has been bald-faced lies by government
officials and others—smear jobs that had the side effect of increasing
budgets for cybercrime fighters. Mitnick is in fact a person whose
story deserves to be told. On the other hand, there is a big difference
between reading a reformed hacker's words and hiring one to audit your
internal systems. Read what Mitnick has to say, but keep him and his
like away from your keyboards. 
Simson Garfinkel, CISSP, is a technology writer based in the Boston
area. He is also CTO of Sandstorm Enterprises, an information warfare
software company.
ILLUSTRATION BY ANASTASIA VASILAKIS